-
Notifications
You must be signed in to change notification settings - Fork 191
Expand file tree
/
Copy pathrenovate-security-bump.sh
More file actions
executable file
·314 lines (263 loc) · 10.7 KB
/
renovate-security-bump.sh
File metadata and controls
executable file
·314 lines (263 loc) · 10.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
#!/usr/bin/env bash
set -euo pipefail
# Shared script for Renovate to bump version and update CHANGELOG
# Supports both __version__.py and pyproject.toml versioning styles
# Auto-detects changed dependencies from git diff
# Use current working directory as repo root (where Renovate executes the script)
REPO_ROOT="${REPO_ROOT:-$(pwd)}"
CHANGELOG_FILE="${CHANGELOG_FILE:-$REPO_ROOT/CHANGELOG.md}"
# VERSION_FILE can be:
# - Path to __version__.py (traditional Python)
# - Path to pyproject.toml (modern Python with uv/poetry)
# - "auto" or unset to auto-detect
VERSION_FILE="${VERSION_FILE:-auto}"
echo "=== Renovate Security Version Bump ==="
# Auto-detect versioning style
detect_version_style() {
if [[ "$VERSION_FILE" == "auto" ]]; then
# Check for pyproject.toml with version field first (modern style)
if [[ -f "$REPO_ROOT/pyproject.toml" ]] && grep -qE "^version\s*=" "$REPO_ROOT/pyproject.toml"; then
VERSION_FILE="$REPO_ROOT/pyproject.toml"
VERSION_STYLE="pyproject"
echo "Auto-detected: pyproject.toml versioning"
# Check for common __version__.py locations
elif [[ -f "$REPO_ROOT/unstructured/__version__.py" ]]; then
VERSION_FILE="$REPO_ROOT/unstructured/__version__.py"
VERSION_STYLE="python"
echo "Auto-detected: __version__.py versioning"
else
echo "Error: Could not auto-detect version file. Set VERSION_FILE explicitly."
exit 1
fi
elif [[ "$VERSION_FILE" == *.py ]]; then
VERSION_STYLE="python"
echo "Using Python __version__.py style: $VERSION_FILE"
elif [[ "$VERSION_FILE" == *pyproject.toml ]]; then
VERSION_STYLE="pyproject"
echo "Using pyproject.toml style: $VERSION_FILE"
else
echo "Error: Unknown version file type: $VERSION_FILE"
exit 1
fi
}
# Read current version based on style
read_current_version() {
if [[ "$VERSION_STYLE" == "python" ]]; then
CURRENT_VERSION=$(grep -o -E "(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-dev[0-9]*)?" "$VERSION_FILE" | head -1)
elif [[ "$VERSION_STYLE" == "pyproject" ]]; then
# Extract version from pyproject.toml (handles both quoted styles)
CURRENT_VERSION=$(grep -E "^version\s*=" "$VERSION_FILE" | head -1 | sed -E 's/version\s*=\s*["\x27]?([^"\x27]+)["\x27]?/\1/' | tr -d ' ')
fi
echo "Current version: $CURRENT_VERSION"
}
# Calculate new release version
calculate_release_version() {
if [[ "$CURRENT_VERSION" =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)(-dev[0-9]*)?$ ]]; then
MAJOR="${BASH_REMATCH[1]}"
MINOR="${BASH_REMATCH[2]}"
PATCH="${BASH_REMATCH[3]}"
DEV_SUFFIX="${BASH_REMATCH[4]}"
if [[ -n "$DEV_SUFFIX" ]]; then
# Strip -dev suffix to release current version
RELEASE_VERSION="$MAJOR.$MINOR.$PATCH"
echo "Stripping dev suffix: $CURRENT_VERSION → $RELEASE_VERSION"
else
# Already a release version, bump to next patch
NEW_PATCH=$((PATCH + 1))
RELEASE_VERSION="$MAJOR.$MINOR.$NEW_PATCH"
echo "Bumping patch version: $CURRENT_VERSION → $RELEASE_VERSION"
fi
else
echo "Error: Could not parse version: $CURRENT_VERSION"
exit 1
fi
}
# Update version in __version__.py
update_python_version() {
echo "Updating $VERSION_FILE to version $RELEASE_VERSION"
# Detect quote style used in the file
if grep -q "__version__ = ['\"]" "$VERSION_FILE"; then
if grep -q "__version__ = \"" "$VERSION_FILE"; then
# Double quotes
sed -i.bak -E "s/__version__ = \"[^\"]+\"/__version__ = \"$RELEASE_VERSION\"/" "$VERSION_FILE"
else
# Single quotes
sed -i.bak -E "s/__version__ = '[^']+'/__version__ = '$RELEASE_VERSION'/" "$VERSION_FILE"
fi
else
echo "Error: Could not detect quote style in $VERSION_FILE"
exit 1
fi
# Verify the update succeeded
if ! grep -q "__version__ = ['\"]${RELEASE_VERSION}['\"]" "$VERSION_FILE"; then
echo "Error: Failed to update version in $VERSION_FILE"
exit 1
fi
rm -f "$VERSION_FILE.bak"
}
# Update version in pyproject.toml
update_pyproject_version() {
echo "Updating $VERSION_FILE to version $RELEASE_VERSION"
# Detect quote style (single or double quotes)
if grep -qE "^version\s*=\s*\"" "$VERSION_FILE"; then
# Double quotes
sed -i.bak -E "s/^(version\s*=\s*)\"[^\"]+\"/\1\"$RELEASE_VERSION\"/" "$VERSION_FILE"
else
# Single quotes
sed -i.bak -E "s/^(version\s*=\s*)'[^']+'/\1'$RELEASE_VERSION'/" "$VERSION_FILE"
fi
# Verify the update succeeded
if ! grep -qE "^version\s*=\s*['\"]${RELEASE_VERSION}['\"]" "$VERSION_FILE"; then
echo "Error: Failed to update version in $VERSION_FILE"
exit 1
fi
rm -f "$VERSION_FILE.bak"
}
# Detect changed packages from git diff
detect_changed_packages() {
echo "Detecting changed dependencies..."
# Package name regex per PEP 508: starts with letter/digit, can contain letters, digits, dots, underscores, hyphens
local pkg_pattern='^[-+][a-zA-Z0-9][a-zA-Z0-9._-]*=='
# Try requirements/*.txt files first (pip-compile output format)
CHANGED_PACKAGES=$(git diff --cached requirements/*.txt 2>/dev/null | grep -E "$pkg_pattern" | sed 's/^[+-]//' | sort -u | head -20 || true)
if [ -z "$CHANGED_PACKAGES" ]; then
CHANGED_PACKAGES=$(git diff requirements/*.txt 2>/dev/null | grep -E "$pkg_pattern" | sed 's/^[+-]//' | sort -u | head -20 || true)
fi
# Try requirements/*.in files (unpinned requirements)
# Strip comments, extras [.*], version specifiers; exclude URLs and flags
if [ -z "$CHANGED_PACKAGES" ]; then
CHANGED_PACKAGES=$(git diff --cached requirements/*.in 2>/dev/null | grep -E '^[-+][a-zA-Z0-9][a-zA-Z0-9._-]*' | grep -v '^[-+]#' | grep -v '^[-+]-' | grep -v '://' | sed 's/^[+-]//' | sed -E 's/#.*//; s/\[.*//; s/[<>=~].*//' | sed 's/[[:space:]]*$//' | sort -u | head -20 || true)
fi
if [ -z "$CHANGED_PACKAGES" ]; then
CHANGED_PACKAGES=$(git diff requirements/*.in 2>/dev/null | grep -E '^[-+][a-zA-Z0-9][a-zA-Z0-9._-]*' | grep -v '^[-+]#' | grep -v '^[-+]-' | grep -v '://' | sed 's/^[+-]//' | sed -E 's/#.*//; s/\[.*//; s/[<>=~].*//' | sed 's/[[:space:]]*$//' | sort -u | head -20 || true)
fi
# Try uv.lock if no requirements changes found
if [ -z "$CHANGED_PACKAGES" ]; then
CHANGED_PACKAGES=$(git diff --cached uv.lock 2>/dev/null | grep -E '^[-+]name\s*=' | sed -E 's/^[-+]name\s*=\s*"([^"]+)"/\1/' | sort -u | head -20 || true)
fi
if [ -z "$CHANGED_PACKAGES" ]; then
CHANGED_PACKAGES=$(git diff uv.lock 2>/dev/null | grep -E '^[-+]name\s*=' | sed -E 's/^[-+]name\s*=\s*"([^"]+)"/\1/' | sort -u | head -20 || true)
fi
# Try pyproject.toml dependencies section
# Match version specifiers (<>=~^!), extras [, quotes ", commas, or end of line for unversioned
if [ -z "$CHANGED_PACKAGES" ]; then
CHANGED_PACKAGES=$(git diff --cached pyproject.toml 2>/dev/null | grep -E '^[-+]\s*"?[a-zA-Z0-9][a-zA-Z0-9._-]*([<>=~^!\[",]|$)' | sed -E 's/^[-+]\s*"?([a-zA-Z0-9][a-zA-Z0-9._-]*).*/\1/' | sort -u | head -20 || true)
fi
if [ -z "$CHANGED_PACKAGES" ]; then
CHANGED_PACKAGES=$(git diff pyproject.toml 2>/dev/null | grep -E '^[-+]\s*"?[a-zA-Z0-9][a-zA-Z0-9._-]*([<>=~^!\[",]|$)' | sed -E 's/^[-+]\s*"?([a-zA-Z0-9][a-zA-Z0-9._-]*).*/\1/' | sort -u | head -20 || true)
fi
# Build changelog entry
if [ -n "$CHANGED_PACKAGES" ]; then
PACKAGE_COUNT=$(echo "$CHANGED_PACKAGES" | wc -l | tr -d ' ')
echo "Found $PACKAGE_COUNT changed package(s):"
echo "$CHANGED_PACKAGES" | head -5 | sed 's/^/ - /'
if [ "$PACKAGE_COUNT" -gt 5 ]; then
echo " ... and $((PACKAGE_COUNT - 5)) more"
fi
else
echo "Could not auto-detect packages, using generic entry"
fi
CHANGELOG_ENTRY="- **Security update**: Bumped dependencies to address security vulnerabilities"
echo "Changelog entry: $CHANGELOG_ENTRY"
}
# Update CHANGELOG.md
update_changelog() {
echo "Updating CHANGELOG..."
# Check if CHANGELOG exists
if [[ ! -f "$CHANGELOG_FILE" ]]; then
echo "Warning: CHANGELOG.md not found at $CHANGELOG_FILE, skipping changelog update"
return 0
fi
# Only look for -dev version to rename if CURRENT_VERSION had -dev suffix
if [[ -n "${DEV_SUFFIX:-}" ]]; then
# Look for -dev version header in CHANGELOG that matches our version
DEV_VERSION_HEADER=$(grep -m 1 -F "## $CURRENT_VERSION" "$CHANGELOG_FILE" || true)
if [[ -n "$DEV_VERSION_HEADER" ]]; then
echo "Found dev version in CHANGELOG: $DEV_VERSION_HEADER"
# Extract the -dev version number from header
DEV_VERSION=$(echo "$DEV_VERSION_HEADER" | grep -o -E "[0-9]+\.[0-9]+\.[0-9]+-dev[0-9]*")
echo "Renaming CHANGELOG header: $DEV_VERSION → $RELEASE_VERSION"
awk -v dev_version="$DEV_VERSION" \
-v release_version="$RELEASE_VERSION" \
-v security_entry="$CHANGELOG_ENTRY" '
BEGIN {
in_target_version = 0
found_fixes = 0
added_entry = 0
}
/^## / {
if (index($0, "## " dev_version) == 1) {
print "## " release_version
in_target_version = 1
next
} else {
if (in_target_version && !found_fixes && !added_entry) {
print ""
print "### Fixes"
print security_entry
print ""
added_entry = 1
}
in_target_version = 0
found_fixes = 0
}
}
/^### Fixes/ && in_target_version {
print
print security_entry
found_fixes = 1
added_entry = 1
next
}
{ print }
END {
if (in_target_version && !found_fixes && !added_entry) {
print ""
print "### Fixes"
print security_entry
}
}
' "$CHANGELOG_FILE" >"$CHANGELOG_FILE.tmp"
mv "$CHANGELOG_FILE.tmp" "$CHANGELOG_FILE"
else
echo "Warning: Current version has -dev suffix but no matching dev header in CHANGELOG"
create_new_changelog_entry
fi
else
# Current version was already a release, so we bumped to next patch
create_new_changelog_entry
fi
}
create_new_changelog_entry() {
echo "Creating new CHANGELOG entry for $RELEASE_VERSION"
local tmp_file
tmp_file=$(mktemp)
cat >"$tmp_file" <<EOF
## $RELEASE_VERSION
### Fixes
$CHANGELOG_ENTRY
EOF
cat "$tmp_file" "$CHANGELOG_FILE" >"$CHANGELOG_FILE.tmp"
mv "$CHANGELOG_FILE.tmp" "$CHANGELOG_FILE"
rm -f "$tmp_file"
}
# Main execution
detect_version_style
read_current_version
calculate_release_version
if [[ "$VERSION_STYLE" == "python" ]]; then
update_python_version
elif [[ "$VERSION_STYLE" == "pyproject" ]]; then
update_pyproject_version
fi
detect_changed_packages
update_changelog
echo ""
echo "✓ Successfully updated version to $RELEASE_VERSION"
echo "✓ Updated CHANGELOG with security fix entry"
echo ""
echo "Modified files:"
echo " - $VERSION_FILE"
if [[ -f "$CHANGELOG_FILE" ]]; then
echo " - $CHANGELOG_FILE"
fi